[Dshield] RedHat systems seem to originate a lot of port 1433 attacks

Thomas Liston tliston at premmag.com
Wed May 22 20:56:15 GMT 2002


I went and fetched an HTTP HEAD on the 46 unique IPs I've seen here
over the past 10 days. Of the 46, I got responses from 38. Of the
38, ALL were IIS boxes with the exception of 1:

WebLogic WebLogic Server 6.1 SP2  12/18/2001 11:13:46 #154529

I don't see any indication of this coming from non-MS platforms.

-TL

On 22 May 2002 at 13:06, Micheal Patterson wrote:

> That's precisely why I stopped attempting to notify remote networks of
> suspicious behavior. Many don't want to accept that they're passing infected
> files/packages through their network. Others in various countries see it as
> an insult to their abilities to manage their network if you simply inform
> them that there may be an infected system within their network. I've been
> doing this for some time now and I've always been of the mindset that even
> though I've never had a breached system that I maintain, I always assume
> that it will happen. If it does, I'll be prepared. If it doesn't, then I'm
> still prepared.
> 
> --
> 
> Micheal Patterson
> Network Administration
> Cancer Care Network
> 405-733-2230
> 
> ----- Original Message -----
> From: "Jon R. Kibler" <Jon.Kibler at aset.com>
> To: <list at dshield.org>
> Cc: "Samantha Fetter" <sama at enteract.com>
> Sent: Wednesday, May 22, 2002 12:35 PM
> Subject: [Dshield] RedHat systems seem to originate a lot of port 1433
> attacks
> 
> 
> > Samantha Fetter wrote:
> > >
> > > I've been informed that an exploit came out 2 days ago called SQLSmack, a
> > > UNIX based remote command execution for mssql.
> > >
> > > Cheers,
> > > Samantha
> > >
> >
> >
> > This seems consistent with what we have been seeing. At least half of the
> > systems hitting us (actually, all but a couple of the systems where someone
> > was willing to talk to us!) were RedHat Linux systems.
> >
> > There seems to be A LOT of denial concerning this problem. We have
> > received several angry phone calls and emails from people who our IDS
> > notified that they were infected -- claiming that we were falsely accusing
> > them and that they had never heard of a SQL Server worm or virus. Several
> > were refusing to believe us when we sent them logs or packet dumps -- with
> > some even refusing to allow us to send them additional evidence! I have
> > NEVER seen such a problem before... Even with Code Red people were willing
> > to believe they had a problem even though they never heard of it! Must be
> > getting close to the full moon or something...
> >
> > Jon Kibler
> > --
> > Jon R. Kibler
> > Systems Architect
> > Advanced Systems Engineering Technology, Inc.
> > Charleston, SC  USA
> >
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> >
> 
> 


Tom Liston, GSEC
Network Administrator
Prem Magnetics, Inc.
tliston at premmag.com
tliston at hackbusters.net
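The HEAD survey at the top of this message (fetch the Server banner of each source address seen hitting tcp/1433, then tally by platform) is easy to script. The following is an added example, not code from the original post or from DShield; the banner families and the sample responses are constructed assumptions, and fetch_head() is the only part that touches the network.

```python
"""Tally HTTP Server banners of hosts seen probing tcp/1433 (added example)."""
import http.client
from collections import Counter

# Substrings that identify a platform family (assumption: enough to separate
# IIS from the rest, which is all the post's tally needed).
FAMILIES = (
    ("Microsoft-IIS", "IIS"),
    ("WebLogic", "WebLogic"),
    ("Apache", "Apache"),
)

def classify_banner(server_header):
    """Map a Server header to a family; None means the host never answered."""
    if server_header is None:
        return "no response"
    for needle, family in FAMILIES:
        if needle.lower() in server_header.lower():
            return family
    return "other"

def parse_head_response(raw):
    """Pull the Server header out of a raw HTTP HEAD response (bytes)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return ""                                     # answered, no Server header

def fetch_head(host, port=80, timeout=5.0):
    """Network step: Server header of host, or None if it is silent/refuses."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server", "")
    except (OSError, http.client.HTTPException):
        return None

def tally(banners):
    """Count platform families over a list of Server headers (None = silent)."""
    return Counter(classify_banner(b) for b in banners)

# Constructed sample responses standing in for real hosts.
SAMPLE_RESPONSES = [
    b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nContent-Length: 0\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nServer: WebLogic WebLogic Server 6.1 SP2\r\n\r\n",
    b"HTTP/1.0 403 Forbidden\r\nContent-Type: text/html\r\n\r\n",
]

if __name__ == "__main__":
    print(tally([parse_head_response(r) for r in SAMPLE_RESPONSES] + [None]))
```

To reproduce the survey on real data, replace the sample list with `[fetch_head(ip) for ip in source_ips]`, keeping the timeout so silent hosts land in the "no response" bucket rather than stalling the run.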
